To effectively protect the UK public’s personal information in a digital global
environment, the ICO needs to co-operate and act internationally. This 
International Strategy seeks to enhance privacy protection for the UK public. 


Recognising that the ICO needs to be agile in an ever-changing world, it will be 
regularly reviewed and updated in response to new challenges and opportunities. 


This international strategy supports our 2017 Information Rights Strategic Plan. 


Part one sets out the main challenges we face and their associated priorities. 
Part two covers ICO structure and resourcing, engagement and evaluation. 


Part one: Challenges and priorities 


Challenge 1: To operate as an effective and influential data 
protection authority at European level while the UK remains a 
member of the EU and when the UK has left the EU, or during 
any transitional period. 


As the UK prepares to leave the EU, the formal relationship between the ICO and 
EU data protection authorities will change. Our relationship with our EU partners 
will remain highly important, including with the European Data Protection Board 
(EDPB) which will operate from May 2018 and on which the ICO will remain 
active and engaged until the UK’s exit. In overseeing the enforcement of the 
General Data Protection Regulation (GDPR) from 2018, and issuing guidance, the 
EDPB will be a highly influential global player in setting the direction for data 
protection and privacy standards. 


The strategy recognises that our direction on many of these challenges will often 
be driven by the outcome of the negotiations between the UK and the EU. Our 
priorities are designed to be compatible with a range of scenarios and enable the 
ICO to respond flexibly to different circumstances. 


In 2017, the Secretary of State, Karen Bradley, and the UK Minister responsible 
for the digital economy, Matthew Hancock, made several statements to 
Parliament declaring the UK Government’s commitment to comprehensively
implementing GDPR, as planned, in 2018. The June 2017 Queen's Speech
included a commitment to introduce a Data Protection Bill: 


“To implement the General Data Protection Regulation and 
the new Directive which applies to law enforcement data 
processing, meeting our obligations while we remain an EU 
member state and helping to put the UK in the best position 
to maintain our ability to share data with other EU member 
states and internationally after we leave the EU.” 


Our strategy presumes that GDPR will also be assumed into UK law before exit 
to ensure there is continuity and certainty about UK law afterwards. 


The ICO recognises the importance of the UK retaining a high standard of data 
protection and data protection as a fundamental right. Our strategy recognises 
the possible role of EU laws and the Council of Europe in this after Brexit, 
directly or indirectly. 


Challenge 1: priorities 


To meet this first challenge we have identified three priorities in order to 
implement GDPR and to ensure we can collaborate with European Data 
Protection Authorities. 


1.1 Expert advice to the UK government 


We will provide expert advice to the UK Government on the data 
protection implications of leaving the EU, in particular about the ICO’s 
relationship with the EDPB. 


1.2 Strong engagement with the Article 29 Working Party and EDPB 


• We will continue to work as a full member of the Article 29 Working Party,
which consists of the independent data protection authorities of member
states of the EU, and as part of the EDPB from 2018, until the UK exits
the EU.


• Recognising that our role may be shaped by the Brexit negotiations, we
will seek to maintain a strong working relationship with the EDPB when
the UK exits the EU. We will also seek to strengthen bilateral relationships
with individual EU data protection authorities where appropriate.


1.3 Wider European engagement


• In addition to the Article 29 Working Party and the EDPB, we will continue
to engage with other European groups of data protection authorities.


• We will seek to engage with the Council of Europe, to explore the role of
Convention 108 as a data protection standard.


• We will seek to engage with specialist EU working groups that consider
data protection related to law-enforcement data sharing, recognising that
our role will be shaped by the Brexit negotiations.


• Where relevant and appropriate, we will maintain an active dialogue with
Members of the European Parliament. 


Challenge 2: Maximising the ICO’s relevance and delivery 
against its objectives in an increasingly globalised world with 
rapid growth of online technologies. 


In the last 20 years the ICO has built a reputation as an influential and 
respected data protection authority internationally. Information rights regulation, 
and in particular data protection regulation, has an increasingly international 
dimension. Effective protection of the UK public's personal information becomes 
increasingly complex and less visible as data flows across borders so the UK 
needs a regulator with greater global reach and influence. Our approach will also 
recognise the economic and social benefits to the UK of having influence in a 
globally connected world and digital economy. 


Challenge 2: priorities 


To meet this second challenge we have identified the following priorities: 


2.1 Global relationships 


• We will continue to engage with leading international privacy networks
and explore relationships with networks where we have not engaged
previously, for example in the Asia Pacific region.


• We will continue to develop stronger links with data protection authorities
in Commonwealth countries via our leadership of the Common Thread
Network. This will support and build capacity with other data protection
authorities, increasing opportunities for international collaboration,
particularly with emerging or fast-developing economies.


• Where opportunities exist to develop new networks that will meet our
strategic priorities, and not duplicate other networks, we will take the
initiative to lead their development.


• We will prioritise international engagement on issues related to global
privacy risks arising from the application of new technologies.


2.2 Enforcement 


We will continue to play a leading role in joined up, efficient and effective 
international enforcement co-operation mechanisms that can lead to 
better enforcement of data protection compliance in the UK. 


We will invest in bilateral relationships, including enforcement
co-operation, with the most strategically important economies and data
protection/privacy authorities globally.


2.3 Knowledge exchange, guidance and standards 


We will explore new links with international bodies and regulatory 
networks that do not focus on data protection but have an important 
influence on developing global standards that affect data protection. 


To promote knowledge exchange in priority areas, we will seek to develop 
new relationships with think tanks, academic and civil society networks. 


The ICO's new Grants Programme, launched in 2017, will be open to such 
bodies. 


2.4 Freedom of Information 


We will share information and knowledge with other independent bodies 
responsible for enforcing and promoting freedom of information laws. We 
will support work to identify common standards for freedom of information 
laws and progressive transparency. 


We will support work to develop a regular European Information 
Commissioners’ conference and collaborate on projects of common
interest, such as the transparency of outsourced public services. 


Challenge 3: Ensuring that UK data protection law and practice 
is a benchmark for high global standards. 


The ICO has benefited from its status as a European Data Protection Authority 
and a data protection regulator with over 30 years’ experience. It is vital that 
the UK retains a high standard of data protection law to provide effective 
safeguards for the public in practice. To enable the ICO to be recognised as a
leading regulatory partner, and to enable international data flows, UK data
protection needs to continue to be recognised as a globally leading standard. 
Internationally, data protection and privacy laws are converging and the UK 
needs to keep pace with these developments. 


Challenge 3: priorities 


To meet this challenge we have identified the following priorities: 


3.1 Collaborate 


• We will collaborate with the international business community and other
stakeholders to support work to turn the GDPR’s accountability principles
into a robust but flexible global solution.

• We will continue to take part in international work to promote global data
protection standards and the long-term aim of a global data protection
and privacy agreement or treaty.


Challenge 4: Addressing the uncertainty of the legal 
protections for international data flows to and from the EU, 
and beyond, including adequacy. 


Global data flows are central to the digital economy. Ensuring there are effective 
safeguards for data transferred internationally continues to be important in 
effective data protection. 


Challenge 4: priorities 


To meet this challenge we have identified the following priority: 


4.1 Protecting personal data flows 


• We will provide expert advice to the UK Government and Parliament on
international data flows. 


• We will seek to explore the concept of the UK as a ‘global data protection
gateway’ — a country with a high standard of data protection law which is 
effectively interoperable with different legal systems that protect 
international flows of personal data. 


• We will work to ensure that personal data transferred from the UK to third
countries continues to be adequately protected.


• We will support work to develop new mechanisms to enable international
transfers, such as codes of conduct and certification under the GDPR.


• We will support the development of mechanisms to support better
interoperability between the UK's data protection laws and other systems 
such as the APEC Cross Border Privacy Rules (CBPR). 


Part two — ICO structure and resourcing, 
engagement and evaluation 


1. ICO structure


1.1 We will establish a new International Strategy and Intelligence
Department, creating an ICO department with international activity as
its core focus for the first time.


1.2 We will add new resources to our international team to support the
delivery of the strategy.


1.3 We will explore the possibility of further staff exchanges and
secondments with other data protection authorities and relevant
international organisations.


1.4 We will embed stronger links with international work in relevant ICO
projects and cross-office working.


2. Engagement 


2.1 As well as meetings that cover our essential international obligations
we will seek to prioritise attendance at meetings and events that meet
this strategy’s objectives.


2.2 We will bid to host the International Conference of Data Protection and
Privacy Commissioners, promoting the potential of the UK as a global
data protection gateway, with a high standard of data protection law
and practice.


2.3 Jointly with the Scottish Information Commissioner, we will host the
2017 International Conference of Information Commissioners in
Manchester (focused on Freedom of Information).


2.4 We will host the 2017 European data protection case handling
workshop and Global Privacy Enforcement Network (GPEN)
practitioners’ workshop.


2.5 We will seek to agree revised or new agreements with key data
protection and privacy enforcement authorities globally. This will
enhance reciprocal enforcement capabilities and information exchange.


2.6 We will seek to promote ICO guidance to global audiences, and seek
their feedback, particularly in areas related to technology and
accountability.


2.7 We will develop and maintain a new international stakeholder mapping
to guide how we prioritise our work.


3. Measurement and evaluation 


3.1 We will develop a reporting mechanism that evaluates the value of our
international activities and links to relevant departmental business
plans.


3.2 We will also include a dedicated section in the Information
Commissioner's annual report reporting against this International
Strategy.


